3-DAY TRAINING 7 – Offensive Open Source Intelligence
DURATION: 3 DAYS
CAPACITY: 20 pax
SEATS AVAILABLE: 18
USD2199 (early bird)
Early bird registration rate ends on the 31st of May
RECONNAISSANCE, the very first phase of any Risk Assessment Exercise, is often underestimated by many
security professionals. Every pentester’s arsenal should, however, include Open Source Intelligence (OSINT)
and active reconnaissance for an effective assessment and measure the security posture against real world
This advanced training not only talks about using OSINT to extract data but also focuses on the significance of
this data and how it could be directly enriched and used offensively for attacking and compromising Modern
We will take a deep-dive into various methodologies for extracting useful information from the internet.
Furthermore, we will cover how this extracted information can be used in attack scenarios to get initial
foothold in multiple ways within an organisation’s network and further exploit it to gain and maintain
elevated access. The course will cover topics like:
Mapping the Attack Surface
Enriching Collected Data
Attacking Federation Server
Exploiting Domain Trust
Practical Social Engineering, etc.
This 3 days course covers a wide range of topics ranging from recon to launching active targeted attacks,
to indulge the participants into real world scenarios, simulated lab environment and case studies so that
they can get proficient in techniques and methodologies. Each participant will also be provided ONE
MONTH FREE ACCESS to our Private Lab mimicking the modern age infrastructure, as well as decoy
accounts and organization’s social presence, where they can practise the skills learnt during the course.
Key Learning Objectives
Learn to perform reconnaissance of modern organizations with hybrid infrastructure.
Gain a deep understanding of how to collect, enrich and utilize actionable intelligence to launch targeted attacks.
Learn how to move laterally within a modern network, escalate privilege and maintain access.
Perform OSINT on live targets and attacks in lab environment.
Who Should Attend
Bug Bounty Hunters
Anyone with an interest in privacy, social media and OSINT
Basics of penetration testing.
Hardware / Software Requirements
Attendees should have a laptop with admin access on it, minimum 4GB RAM and at least 30 GB of free HDD space.
Laptop should have a browser and should support Wifi Connection in order to reach Internet.
Any OS is fine (Windows/Mac/Linux). Everything else will provided in the Student kit.
Note: Please avoid Chromebooks.
What Students Will Be Provided With
One Month Private Lab Access
Student Pack which contains
OSINT and Pentest Cheat-Sheets
Answers to Lab Exercises
Agenda – Day 1
Target Scoping and Mapping the Attack Surface
ASN ID, IP Lookups, Allocated IP Range Extraction, Domain IP History
WhoIs, Reverse WhoIs, IP Lookup, Identifying ASN IDs
Allocated IP Ranges for Specific ASN ID
DNS Records, Mass-Resolve
Advanced Google Dorking, Certificate Transparency, LDNS Walking
Internet Scan Repositories
Organization’s Social Media Profiling
Company profiling through Crunchbase, zoominfo, etc.
Identifying Organization’s Associations
Acquisitions, Mergers, Vendors, Customers etc.
Identifying domains/sub-organizations/acquisitions under a company.
Hunting Code Repositories, Dark Web, Paste(s) Sites and Leaked Data
Exploring Code Aggregators
Searching Data in Onion and Paste Sites
Crunchbase, Email Hunter, Linkedin, ZoomInfo
Automated Tools and Chrome Addons
Identifying Server Instances
Discovering Cloud Storage Objects
Federation/AD Server Discovery
Enriching OSINT Data (scanning, ports, shodan, screenshots)
Generating Username/Password Patterns
Bucket/Blogs/Spaces Pattern Generation
Custom Scripts for Generating Common Bucket/Spaces/Blobs names
Tech Stack Profiling
Wappalyzer, Build-with, Job Portal
Port Scanning (Active/Passive)
Using Hacker Search Engines
Capturing Screenshots of Exposed Service
Screenshots for Websites and other services
Tools / Custom Scripts
Identifying SSO/Login/Admin/VPN Portal(s)
Identifying Login URLs using Spidering and Regex Patterns
Identifying Third Party SSO Integrations
Explore Breached Password Databases
Locating and Extracting Public Dumps
Spidering and Google Dorking to Find Documents
Automating CSE for Dork Matching
Accumulating Dorks from GHDB
Creating and Configuring a CSE
Agenda – DAY 2
Attacking and Exploitation
Targeted Credential Spraying on Infrastructure Assets and Third Party Authentication
Spraying Credentials on Login/SSO/Admin/VPN Portals/Third Party Service
Bypassing OTP Login using User Configurations
Compromising Business Communication Infrastructure (BCI)
Identifying Communication Infrastructure
Access User Communication Using API Keys/Credentials/Access Tokens, etc.
Exploring the Compromised Assets [Bonus Lab Exercise]
Explore Groups, Channels, Privileges, Shared Files, etc.
Identify Credentials, API keys, Server Secrets, Internal Domain Information, etc.
Attacking Network Services using collated data
Running Basic Automated checks on Network services
Password Spraying on Network Services
Attacking DB Services
Stealing information from Buckets/Blobs
Understanding Permission Types on Cloud Objects
Cloud Storage Object Hijacking
Exploiting Applications using Cloud Storage Objects